From 1978a601164534622647bbe9b68325ee1767152c Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Wed, 17 May 2023 11:51:07 -0700 Subject: [PATCH 01/35] sg-integrationtest-includebaker add baking operations to allow policy test --- integration_test/docker-compose.yml | 22 +++- integration_test/flextesa.sh | 6 +- integration_test/flextesanobaking.sh | 18 +++ integration_test/octezclient.go | 19 ++- integration_test/operationkinds_test.go | 159 +++++++++++++++--------- integration_test/signatory.yaml | 2 +- 6 files changed, 160 insertions(+), 66 deletions(-) create mode 100755 integration_test/flextesanobaking.sh diff --git a/integration_test/docker-compose.yml b/integration_test/docker-compose.yml index e96f62ae..4e67367a 100644 --- a/integration_test/docker-compose.yml +++ b/integration_test/docker-compose.yml @@ -23,6 +23,26 @@ services: retries: 10 start_period: 1s + flextesanobaking: + container_name: flextesanobaking + image: oxheadalpha/flextesa:latest + ports: + - "30000:20000" + - "30001:20001" + networks: + - ecadnet + volumes: + - ./flextesanobaking.sh:/usr/bin/sigybox + environment: + - block_time=3 + command: sigybox $PROTOCOL + healthcheck: + test: "curl --fail http://localhost:20000/chains/main/blocks/head/header || exit 1" + interval: 1s + timeout: 1s + retries: 10 + start_period: 1s + octez: container_name: octez image: tezos/tezos:$OCTEZ_VERSION @@ -59,7 +79,7 @@ services: target: /etc/secret.json command: serve healthcheck: - test: "curl --fail http://localhost:6732/authorized_keys || exit 1" + test: "curl --fail http://localhost:9583/healthz || exit 1" interval: 1s timeout: 1s retries: 10 diff --git a/integration_test/flextesa.sh b/integration_test/flextesa.sh index 93d2ff87..ffaa0957 100755 --- a/integration_test/flextesa.sh +++ b/integration_test/flextesa.sh @@ -1,8 +1,6 @@ #! /bin/sh protocol=$1 -time_bb=${block_time:-1} - export alice="$(flextesa key alice)" export bob="$(flextesa key bob)" 
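Review bot: The new `flextesanobaking` service pulls `oxheadalpha/flextesa:latest`, so the sandbox node the policy tests sign against changes silently whenever upstream pushes a new tag and a failing run cannot be reproduced against the image that produced it; the `octez` service in the same file is pinned through `$OCTEZ_VERSION`, and a version variable alongside it in the `.env.*` files (or an image digest) would fit here. The existing `flextesa` service is outside the hunk; if it is also on `latest`, both should move together. The service also sets `block_time=3`, but flextesanobaking.sh never reads that variable and flextesa.sh drops its `time_bb=${block_time:-1}` reader in this same patch, so the setting is now dead configuration and should either go or be wired back into the hard-coded `--time-between-blocks='2,3,2'` arguments.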
@@ -15,9 +13,9 @@ root_path=/tmp/mini-box flextesa mini-net \ --root "$root_path" --size 1 \ --set-history-mode N000:archive \ - --number-of-b 1 \ + --number-of-bootstrap-accounts 1 \ --balance-of-bootstrap-accounts tez:100_000_000 \ - --time-b "$time_bb" \ + --time-between-blocks='2,3,2' \ --add-bootstrap-account="$alice@2_000_000_000_000" \ --add-bootstrap-account="$speculos@2_000_000_000_000" \ --add-bootstrap-account="$bob@2_000_000_000_000" \ diff --git a/integration_test/flextesanobaking.sh b/integration_test/flextesanobaking.sh new file mode 100755 index 00000000..cfada16a --- /dev/null +++ b/integration_test/flextesanobaking.sh @@ -0,0 +1,18 @@ +#! /bin/sh + +protocol=$1 + +export opstest='opstest,edpkvSkEEfVMKvAv87env4kMNwLfuLYe7y7wXqgfvrwJwhJJpmL1GB,tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B,http://signatory:6732/tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B' + +root_path=/tmp/mini-box + +flextesa mini-net \ + --no-baking \ + --root "$root_path" --size 1 \ + --set-history-mode N000:archive \ + --number-of-bootstrap-accounts 0 \ + --remove-default-bootstrap-accounts \ + --time-between-blocks='2,3,2' \ + --add-bootstrap-account="$opstest@2_000_000_000_000" \ + --until-level 200_000_000 \ + --protocol-kind "$protocol" diff --git a/integration_test/octezclient.go b/integration_test/octezclient.go index 122cd64c..22658c52 100644 --- a/integration_test/octezclient.go +++ b/integration_test/octezclient.go @@ -11,12 +11,18 @@ func OctezClient(arg ...string) ([]byte, error) { return exec.Command(cmd, args...).CombinedOutput() } +func clean_tezos_folder() { + delete_contracts_aliases() + delete_wallet_lock() + delete_watermark_files() +} + func delete_wallet_lock() { var cmd = "docker" var args = []string{"exec", "octez", "rm", "-f", "/home/tezos/.tezos-client/wallet_lock"} out, err := exec.Command(cmd, args...).CombinedOutput() if err != nil { - panic("Failed to delete wallet lock: " + string(out)) + panic("Clean tezos: Failed to delete wallet lock: " + string(out)) } } 
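Review bot: The `opstest` bootstrap account is a four-field flextesa key (what appears to be alias, public key, public key hash and the remote-signer URI at `http://signatory:6732/<pkh>`), and the Go tests presumably rely on the same alias and hash, yet nothing in the script says so; a one-line comment above the `export`, such as `# alias,pk,pkh,signer-uri: must match the alias/account constants in operationkinds_test.go`, would stop the two from drifting apart. `protocol=$1` is also taken unchecked, so an unset `$PROTOCOL` in docker-compose yields `--protocol-kind ""` and an opaque flextesa error; `: "${1:?protocol kind required}"` at the top fails clearly instead. flextesa.sh, whose hunk shares this line, has the same unchecked `protocol=$1`.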
@@ -25,6 +31,15 @@ func delete_contracts_aliases() { var args = []string{"exec", "octez", "rm", "-f", "/home/tezos/.tezos-client/contracts"} out, err := exec.Command(cmd, args...).CombinedOutput() if err != nil { - panic("Failed to delete contracts: " + string(out)) + panic("Clean tezos: Failed to delete contracts: " + string(out)) + } +} + +func delete_watermark_files() { + var cmd = "docker" + var args = []string{"exec", "octez", "/bin/sh", "-c", "rm -f /home/tezos/.tezos-client/*_highwatermarks"} + out, err := exec.Command(cmd, args...).CombinedOutput() + if err != nil { + panic("Clean tezos: Failed to delete watermarks: " + string(out)) } } diff --git a/integration_test/operationkinds_test.go b/integration_test/operationkinds_test.go index 634341a1..6e975009 100644 --- a/integration_test/operationkinds_test.go +++ b/integration_test/operationkinds_test.go 
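Review bot: `delete_watermark_files` wipes `/home/tezos/.tezos-client/*_highwatermarks` with no explanation, and as far as I know those files are octez-client's own double-signing guard for the baking commands (it refuses to sign a block or (pre)endorsement at a level it has already signed for that key), so a reader could mistake this for a generally safe cleanup. A comment on the function should make intent and scope explicit, e.g. `// test-only: the sandbox chain is recreated when the stack is restarted (see README), so the client's per-key high-watermark files must be reset or the baking cases are refused on the next run; this must never be mirrored in production tooling.` Since `clean_tezos_folder` (previous hunk) now calls it from the test's `defer`, it runs on every TestOperationAllowPolicy exit, which is worth stating in that wrapper's comment as well.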
@@ -17,87 +17,126 @@ const ( alias1 = "opstest1" contract = "contract.event.tz" contractAlias = "emit_event" + flextesanob = "http://flextesanobaking:20000" ) type testCase struct { - opName string - testSetupOps [][]string - testOp []string - account string - allowPolicy map[string][]string - notAllowPolicy map[string][]string + opName string + testSetupOps [][]string + testOp []string + account string + allowPolicy map[string][]string + notAllowPolicy map[string][]string + successMessage string + validateOctezReturn bool } // these test cases are not atomic -- some tests depend on previous tests (order matters) var testcases = []testCase{ { - opName: "reveal", - testSetupOps: [][]string{{"-w", "1", "transfer", "100", "from", "alice", "to", alias, "--burn-cap", "0.06425"}}, - testOp: []string{"reveal", "key", "for", alias}, - account: account, - allowPolicy: map[string][]string{"generic": {"reveal"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"reveal"})}, + opName: "preendorsement", + testSetupOps: nil, + testOp: []string{"--endpoint", flextesanob, "preendorse", "for", alias, "--force"}, + account: account, + allowPolicy: map[string][]string{"generic": {"preendorsement"}, "preendorsement": {}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"preendorsement"}), "endorsement": {}, "block": {}}, + successMessage: "injected preendorsement", + validateOctezReturn: false, }, { - opName: "register_global_constant", - testSetupOps: nil, - testOp: []string{"register", "global", "constant", "999", "from", alias, "--burn-cap", "0.017"}, - account: account, - allowPolicy: map[string][]string{"generic": {"register_global_constant"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"register_global_constant"})}, + opName: "endorsement", + testSetupOps: nil, + testOp: []string{"--endpoint", flextesanob, "endorse", "for", alias, "--force"}, + account: account, + allowPolicy: 
map[string][]string{"generic": {"endorsement"}, "endorsement": {}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"endorsement"}), "preendorsement": {}, "block": {}}, + successMessage: "injected endorsement", + validateOctezReturn: false, }, { - opName: "transaction", - testSetupOps: nil, - account: account, - testOp: []string{"transfer", "1", "from", alias, "to", "alice", "--burn-cap", "0.06425"}, - allowPolicy: map[string][]string{"generic": {"transaction"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"transaction"})}, + opName: "reveal", + testSetupOps: [][]string{{"-w", "1", "transfer", "100", "from", "alice", "to", alias, "--burn-cap", "0.06425"}}, + testOp: []string{"reveal", "key", "for", alias}, + account: account, + allowPolicy: map[string][]string{"generic": {"reveal"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"reveal"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "delegation", - testSetupOps: nil, - account: account, - testOp: []string{"register", "key", alias, "as", "delegate"}, - allowPolicy: map[string][]string{"generic": {"delegation"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"delegation"})}, + opName: "register_global_constant", + testSetupOps: nil, + testOp: []string{"register", "global", "constant", "999", "from", alias, "--burn-cap", "0.017"}, + account: account, + allowPolicy: map[string][]string{"generic": {"register_global_constant"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"register_global_constant"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "set_deposits_limit", - testSetupOps: nil, - account: account, - testOp: []string{"set", "deposits", "limit", "for", alias, "to", "10000"}, - allowPolicy: map[string][]string{"generic": 
{"set_deposits_limit"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"set_deposits_limit"})}, + opName: "transaction", + testSetupOps: nil, + account: account, + testOp: []string{"transfer", "1", "from", alias, "to", "alice", "--burn-cap", "0.06425"}, + allowPolicy: map[string][]string{"generic": {"transaction"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"transaction"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "update_consensus_key", - testSetupOps: nil, - account: account, - testOp: []string{"set", "consensus", "key", "for", alias, "to", alias1}, - allowPolicy: map[string][]string{"generic": {"update_consensus_key"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"update_consensus_key"})}, + opName: "delegation", + testSetupOps: nil, + account: account, + testOp: []string{"register", "key", alias, "as", "delegate"}, + allowPolicy: map[string][]string{"generic": {"delegation"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"delegation"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "origination", - testSetupOps: nil, - account: account, - testOp: []string{"originate", "contract", contractAlias, "transferring", "1", "from", alias, "running", contract, "--burn-cap", "0.4"}, - allowPolicy: map[string][]string{"generic": {"origination", "transaction"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"origination"})}, + opName: "set_deposits_limit", + testSetupOps: nil, + account: account, + testOp: []string{"set", "deposits", "limit", "for", alias, "to", "10000"}, + allowPolicy: map[string][]string{"generic": {"set_deposits_limit"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"set_deposits_limit"})}, + successMessage: "Operation successfully 
injected in the node", + validateOctezReturn: true, }, { - opName: "increase_paid_storage", - testSetupOps: nil, - account: account, - testOp: []string{"increase", "the", "paid", "storage", "of", contractAlias, "by", "0x5c", "bytes", "from", alias}, - allowPolicy: map[string][]string{"generic": {"increase_paid_storage"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"increase_paid_storage"})}, + opName: "update_consensus_key", + testSetupOps: nil, + account: account, + testOp: []string{"set", "consensus", "key", "for", alias, "to", alias1}, + allowPolicy: map[string][]string{"generic": {"update_consensus_key"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"update_consensus_key"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, + }, + { + opName: "origination", + testSetupOps: nil, + account: account, + testOp: []string{"originate", "contract", contractAlias, "transferring", "1", "from", alias, "running", contract, "--burn-cap", "0.4"}, + allowPolicy: map[string][]string{"generic": {"origination", "transaction"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"origination"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, + }, + { + opName: "increase_paid_storage", + testSetupOps: nil, + account: account, + testOp: []string{"increase", "the", "paid", "storage", "of", contractAlias, "by", "0x5c", "bytes", "from", alias}, + allowPolicy: map[string][]string{"generic": {"increase_paid_storage"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"increase_paid_storage"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, } func TestOperationAllowPolicy(t *testing.T) { - defer delete_contracts_aliases() + defer clean_tezos_folder() for _, test := range testcases { t.Run(test.opName, func(t *testing.T) { 
//first, do any setup steps that have to happen before the operation to be tested @@ -115,8 +154,12 @@ func TestOperationAllowPolicy(t *testing.T) { defer restore_config() restart_signatory() out, err := OctezClient(test.testOp...) - assert.Error(t, err) - require.Contains(t, string(out), "operation `"+test.opName+"' is not allowed") + if test.validateOctezReturn { + //the baking operations in octez-client do not return an error when they fail + //so, we do this assert when we can + assert.Error(t, err) + } + assert.Contains(t, string(out), "`"+test.opName+"' is not allowed") //finally, configure the operation being tested as the only one allowed and test it is successful c.Read(config) @@ -128,7 +171,7 @@ func TestOperationAllowPolicy(t *testing.T) { log.Println("error received: " + err.Error() + " " + string(out)) } assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") + assert.Contains(t, string(out), test.successMessage) }) } } diff --git a/integration_test/signatory.yaml b/integration_test/signatory.yaml index 82e8b470..5dc4a4bd 100644 --- a/integration_test/signatory.yaml +++ b/integration_test/signatory.yaml @@ -57,4 +57,4 @@ tezos: - transaction block: endorsement: - preendorsement: \ No newline at end of file + preendorsement: From 9c23e501574f6951ddf9a95b4064f5b18f3d71cc Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Wed, 17 May 2023 15:19:27 -0700 Subject: [PATCH 02/35] sg-integrationtest add block operation --- integration_test/operationkinds_test.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/integration_test/operationkinds_test.go b/integration_test/operationkinds_test.go index 6e975009..4096299d 100644 --- a/integration_test/operationkinds_test.go +++ b/integration_test/operationkinds_test.go 
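Review bot: The two new `testCase` fields `successMessage` and `validateOctezReturn` carry the whole behavioural difference between the baking cases and the generic ones, but the only explanation is a comment in the assertion code further down, while the struct is where a reader looks first. Suggest `validateOctezReturn bool // false for preendorse/endorse/bake: octez-client exits 0 even when Signatory refuses, so only the output text is checked` and `successMessage string // substring of octez-client output that proves the operation went through`. The `flextesanob` constant likewise deserves `// RPC endpoint of the no-baking flextesa node the baking cases sign against (compose service flextesanobaking)`. The `testcases` literal and `TestOperationAllowPolicy` both continue past the hunk.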
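Review bot: Downgrading the deny check from `require.Contains` to `assert.Contains` changes the test's failure behaviour: when Signatory signs an operation the policy should have refused, the subtest now continues into the allow step and injects the operation anyway, so a policy regression shows up as two tangled failures instead of one, and for one-shot operations (the README notes `reveal` can only run once per chain) it leaves the chain in a state the remaining cases did not expect. Keeping `require.Contains(t, string(out), "`"+test.opName+"' is not allowed")` preserves fail-fast on the security-relevant assertion while still tolerating the exit-code-0 behaviour of the baking commands that the new `validateOctezReturn` guard exists for. The same downgrade of the success check in the next hunk (`@@ -128`) matters less, since it is the last statement of the subtest.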
@@ -53,6 +53,16 @@ var testcases = []testCase{ successMessage: "injected endorsement", validateOctezReturn: false, }, + { + opName: "block", + testSetupOps: nil, + testOp: []string{"--endpoint", flextesanob, "bake", "for", alias, "--force"}, + account: account, + allowPolicy: map[string][]string{"generic": {}, "block": {}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"block"}), "preendorsement": {}, "endorsement": {}}, + successMessage: ".baker.actions: injected for " + alias + " (" + account + ")", + validateOctezReturn: false, + }, { opName: "reveal", testSetupOps: [][]string{{"-w", "1", "transfer", "100", "from", "alice", "to", alias, "--burn-cap", "0.06425"}}, From 12107393a51ebb9d6e83cf42292be1027ae673ae Mon Sep 17 00:00:00 2001 
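Review bot: `successMessage` for the `block` case is `.baker.actions: injected for <alias> (<pkh>)`, a fragment of the octez baker's internal log output rather than a client result, and because `validateOctezReturn` is false this substring is the only evidence the test has that a block was baked; the workflow matrix runs both the `current` (v16) and `next` (v17-beta) octez images, so a wording change in either breaks the case with no real regression. A comment on the field saying where the string comes from and which octez version it was observed on would at least make the breakage diagnosable; a sturdier check would query the no-baking node's head after the command (level advanced, block metadata `baker` equal to `account`) instead of matching log text. The `testcases` literal continues outside the hunk.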
From: stephengaudet Date: Tue, 23 May 2023 15:53:18 -0700 Subject: [PATCH 03/35] sg-integrationtest add aws kms test and simple signatory-cli test --- integration_test/.env.current.amd64 | 2 + integration_test/.env.current.arm64 | 2 + integration_test/.env.next.amd64 | 2 + integration_test/.env.next.arm64 | 2 + integration_test/.env.vaults | 6 +++ integration_test/README.md | 44 ++++++++++++++-- integration_test/authorizedkeys_test.go | 2 +- integration_test/cli_test.go | 17 +++++++ integration_test/config.go | 14 +++--- integration_test/env.current.amd64 | 2 - integration_test/env.current.arm64 | 2 - integration_test/env.next.amd64 | 2 - integration_test/env.next.arm64 | 2 - integration_test/operationkinds_test.go | 7 ++- integration_test/service.go | 2 +- integration_test/signatory.yaml | 8 +++ integration_test/signatorycli.go | 12 +++++ integration_test/vault_aws_test.go | 67 +++++++++++++++++++++++++ 18 files changed, 170 insertions(+), 25 deletions(-) create mode 100644 integration_test/.env.current.amd64 create mode 100644 integration_test/.env.current.arm64 create mode 100644 integration_test/.env.next.amd64 create mode 100644 integration_test/.env.next.arm64 create mode 100644 integration_test/.env.vaults create mode 100644 integration_test/cli_test.go delete mode 100644 integration_test/env.current.amd64 delete mode 100644 integration_test/env.current.arm64 delete mode 100644 integration_test/env.next.amd64 delete mode 100644 integration_test/env.next.arm64 create mode 100644 integration_test/signatorycli.go create mode 100644 integration_test/vault_aws_test.go diff --git a/integration_test/.env.current.amd64 b/integration_test/.env.current.amd64 new file mode 100644 index 00000000..1131e215 --- /dev/null +++ b/integration_test/.env.current.amd64 @@ -0,0 +1,2 @@ +export OCTEZ_VERSION=amd64_v16.0-rc3 +export PROTOCOL=Mumbai diff --git a/integration_test/.env.current.arm64 b/integration_test/.env.current.arm64 new file mode 100644 index 00000000..2e6d2034 
--- /dev/null
+++ b/integration_test/.env.current.arm64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=arm64_v16.0-rc3
+export PROTOCOL=Mumbai
diff --git a/integration_test/.env.next.amd64 b/integration_test/.env.next.amd64
new file mode 100644
index 00000000..593d61b9
--- /dev/null
+++ b/integration_test/.env.next.amd64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=amd64_v17.0-beta1
+export PROTOCOL=Nairobi
diff --git a/integration_test/.env.next.arm64 b/integration_test/.env.next.arm64
new file mode 100644
index 00000000..86550e19
--- /dev/null
+++ b/integration_test/.env.next.arm64
@@ -0,0 +1,2 @@
+export OCTEZ_VERSION=arm64_v17.0-beta1
+export PROTOCOL=Nairobi
diff --git a/integration_test/.env.vaults b/integration_test/.env.vaults
new file mode 100644
index 00000000..613b52bc
--- /dev/null
+++ b/integration_test/.env.vaults
@@ -0,0 +1,6 @@
+export VAULT_AWS_USER=${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }}
+export VAULT_AWS_KEY=${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }}
+export VAULT_AWS_SECRET=${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }}
+export VAULT_AWS_REGION=${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }}
+export VAULT_AWS_PKH_TZ2=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }}
+export VAULT_AWS_PKH_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }}
diff --git a/integration_test/README.md b/integration_test/README.md
index 9fc0c684..969b4ee4 100644
--- a/integration_test/README.md
+++ b/integration_test/README.md
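Review bot: As committed, `.env.vaults` is not valid `sh`: `${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }}` is a GitHub Actions expression, and the README tells a developer to source this file, which dash and bash reject with a bad-substitution error unless every value has first been replaced by hand. Either mark the file unmistakably as a template (a header such as `# template: copy to an untracked file, replace each ${{ secrets.* }} with a real value, source the copy; the filled-in copy stays out of git` would do), or keep the workflow-side values only in build.yaml's `env:` block, which this same patch adds, and leave this file with empty `export VAULT_AWS_USER=` lines for local use. A tracked file that invites pasting live credentials into it is the kind of setup that later has to be undone, so its status should be obvious at first glance.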
@@ -32,22 +32,50 @@ echo $PAT |docker login ghcr.io -u --password-stdin cd integration_test ``` -Exporting the Environment Variables used by the test is required. Choose the set of env var to use from the files `env.current.arm64`, `env.next.arm64`, `env.current.amd64`, `env.next.amd64`. Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead. Use `arm64` or `amd64` depending on your host architecture. +Exporting the Environment Variables used by the test is required. There are 3 groups of environment variables to consider: -So, to set the env to use mainnet protocol, using a build of Signatory's `main` branch, on a macbook m1 host: +1. Signatory image +2. chain protocol and octez version +3. vault specifics + +### Signatory image env var + +using a build of Signatory's main branch, on a macbook m1 host: ```sh -export $(xargs Date: Tue, 23 May 2023 15:53:58 -0700 Subject: [PATCH 04/35] sg-integrationtest missed workflow changes last commit --- .github/workflows/build.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 2f79cf9a..aed9e8bc 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -108,8 +108,8 @@ jobs: fail-fast: false matrix: testenvs: - - env.current.amd64 - - env.next.amd64 + - current.amd64 + - next.amd64 steps: - uses: actions/checkout@v2 - name: Login to DockerHub 
@@ -120,9 +120,16 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Run tests + env: + IMAGE: ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64 + VAULT_AWS_USER: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }} + VAULT_AWS_KEY: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }} + VAULT_AWS_SECRET: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }} + VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} + VAULT_AWS_PKH_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} + VAULT_AWS_PKH_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} run: > - export $(xargs Date: Tue, 23 May 2023 20:45:53 -0700 Subject: [PATCH 05/35] sg-integrationtest revert config file --- integration_test/signatory.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/integration_test/signatory.yaml b/integration_test/signatory.yaml index e59d373b..4428489b 100644 --- a/integration_test/signatory.yaml +++ b/integration_test/signatory.yaml @@ -6,13 +6,6 @@ vaults: driver: file config: file: /etc/secret.json - aws: - driver: awskms - config: - user_name: stephen - access_key_id: AKIAWXBZ6RID2G4MXWIP - secret_access_key: 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 - region: us-west-2 tezos: #alice From 33e007ff1724878b242348c5af0128fa1f644388 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Wed, 24 May 2023 15:03:54 -0700 Subject: [PATCH 06/35] sg-integrationtest improve readme --- integration_test/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/integration_test/README.md b/integration_test/README.md index e9032dd7..8fea2401 100644 --- a/integration_test/README.md +++ b/integration_test/README.md 
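Review bot: Deleting the `aws` vault block from signatory.yaml does not undo the disclosure: patch 03 in this series added it (its diffstat shows `integration_test/signatory.yaml | 8 +++`), so the `access_key_id` and `secret_access_key` values removed here remain in the branch history and in this patch itself, and anyone who fetched the branch or read the series has them. The key pair should be treated as compromised and revoked or rotated in the AWS account regardless of whether the history is rewritten before merge. To keep this from recurring, the AWS vault should be assembled the way `TestGCPVault` (patch 09) does with `VaultConfig` at runtime from the `VAULT_*` environment variables, so no credential-bearing block is ever written to the tracked file; a secret-scanning pre-commit hook on `*.yaml` and `.env*` would catch the pattern mechanically.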
@@ -54,15 +54,15 @@ export IMAGE=ghcr.io/ecadlabs/signatory:main-amd64 ### chain protocol and octez version env var -Choose the set of env var to use from the files `env.current.arm64`, `env.next.arm64`, `env.current.amd64`, `env.next.amd64`. Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead. Use `arm64` or `amd64` depending on your host architecture. +Choose the set of env var to use from the files `.env.current.arm64`, `.env.next.arm64`, `.env.current.amd64`, `.env.next.amd64`. Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead. Use `arm64` or `amd64` depending on your host architecture. -So, to set the env to use mainnet protocol on a macbook m1 host: +So, to set the env to use mainnet protocol on macbook m1 host: ```sh . .env.current.arm64 ``` -Likewise, to set the env to use the next protocol, using a build of Signatory's `main` branch, on an x86_64 host: +Likewise, to set the env to use the next protocol, using a build of Signatory's `main` branch, on x86_64 host: ```sh . .env.next.amd64 @@ -108,7 +108,7 @@ docker compose down ## Re-Running Tests -Most tests can be re-run successfully as detailed above. Some tests (like the `reveal` operation) can only be run once on a chain. So, when re-running all, stop the stack and bring it up again in between test runs. +Most tests can be re-run successfully as detailed above. Some tests (like the `reveal` operation) can only be run once on a chain. So, when re-running all, stop the stack and bring it up again in between test runs. ## Notes to the operator From f1c77a56f0c6760b61e47e3b06dd408c4568025d Mon Sep 17 00:00:00 2001 
From: stephengaudet Date: Thu, 25 May 2023 09:54:55 -0700 Subject: [PATCH 07/35] sg-integrationtest fix aws vault test --- integration_test/vault_aws_test.go | 38 +++++++++++++++--------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/integration_test/vault_aws_test.go b/integration_test/vault_aws_test.go index 533fec9d..fcf3c14f 100644 --- a/integration_test/vault_aws_test.go +++ b/integration_test/vault_aws_test.go @@ -20,25 +20,6 @@ func TestAWSVault(t *testing.T) { tz2alias := "awstz2" tz3alias := "awstz3" - //setup - out, err := OctezClient("transfer", "100", "from", "alice", "to", tz2, "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - - out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3, "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - - out, err = OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) - assert.NoError(t, err) - assert.Contains(t, string(out), "Tezos address added: "+tz2) - defer OctezClient("forget", "address", tz2alias, "--force") - - out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) - assert.NoError(t, err) - assert.Contains(t, string(out), "Tezos address added: "+tz3) - defer OctezClient("forget", "address", tz3alias, "--force") - //config var c Config c.Read() 
@@ -55,6 +36,25 @@ func TestAWSVault(t *testing.T) { defer restore_config() restart_signatory() + //setup + out, err := OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz2) + defer OctezClient("forget", "address", tz2alias, "--force") + + out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz3) + defer OctezClient("forget", "address", tz3alias, "--force") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz2alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + //test //TODO: resolve issue #364 and enable the tz2 test //out, err = OctezClient("transfer", "1", "from", tz2alias, "to", "alice", "--burn-cap", "0.06425") From 6cee403d668c6c5426c8c38058ba86c0519811e6 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Fri, 26 May 2023 16:46:23 -0700 Subject: [PATCH 08/35] sg-integrationtest add gcp vault --- .github/workflows/build.yaml | 11 +++++++++++ integration_test/.env.vaults | 10 ++++++++++ integration_test/README.md | 8 ++++++++ integration_test/docker-compose.yml | 6 ++++++ 4 files changed, 35 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index aed9e8bc..ae73dcb2 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
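Review bot: The imports and transfers use `tz2`/`tz3`, which appear to come from the `VAULT_AWS_PKH_*` environment variables read above the hunk, but nothing skips the test when they are unset, so every contributor without the AWS secrets (and every pull request from a fork, to which GitHub does not pass repository secrets) gets a hard failure on `import secret key ... http://signatory:6732/` with an empty hash instead of a skip; `if tz2 == "" || tz3 == "" { t.Skip("VAULT_AWS_PKH_TZ2/TZ3 not set") }` before the config step fixes that. The `defer OctezClient("forget", "address", tz2alias, "--force")` lines also discard both return values, so a failed forget leaves the alias behind and the next run's `import` fails for an unrelated-looking reason; wrapping each in a closure that `t.Logf`s the error is enough. Both points apply equally to `TestGCPVault` in patch 09. The function's `c.Read()` and the `//test` section sit outside this hunk.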
@@ -128,8 +128,19 @@ jobs: VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} VAULT_AWS_PKH_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} VAULT_AWS_PKH_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} + VAULT_GCP_PROJECTID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PROJECTID }} + VAULT_GCP_PRIVATEKEYID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEYID }} + VAULT_GCP_PRIVATEKEY: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEY }} + VAULT_GCP_CLIENTEMAIL: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_CLIENTEMAIL }} + VAULT_GCP_CLIENTID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_CLIENTID }} + VAULT_GCP_X509_URL: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_X509_URL }} + VAULT_GCP_KEYRING: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_KEYRING }} + VAULT_GCP_LOCATION: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_LOCATION }} + VAULT_GCP_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} + run: > . integration_test/.env.${{ matrix.testenvs }}; + envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; go test $(go list ./... | grep integration_test); diff --git a/integration_test/.env.vaults b/integration_test/.env.vaults index 613b52bc..684750ea 100644 --- a/integration_test/.env.vaults +++ b/integration_test/.env.vaults 
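Review bot: `envsubst` drops `$VAULT_GCP_PRIVATEKEY` into the `"private_key"` JSON string of gcp-token-template.json (patch 09) verbatim, so if the secret is stored as an ordinary multi-line PEM block the output contains raw newlines inside a string and is not valid JSON; it only works if the secret was saved with literal `\n` escapes, and that requirement is recorded nowhere. Either document it next to the `envsubst` line (`# VAULT_GCP_PRIVATEKEY must contain literal \n: envsubst does no JSON escaping`) or build the file with a JSON-aware tool such as `jq -n --arg key "$VAULT_GCP_PRIVATEKEY" ...`, which escapes correctly. The generated `gcp-token.json` also lands in the checkout with default permissions; a `umask 077` before the redirection keeps the service-account key readable only by the runner user.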
@@ -4,3 +4,13 @@ export VAULT_AWS_SECRET=${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }} export VAULT_AWS_REGION=${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} export VAULT_AWS_PKH_TZ2=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} export VAULT_AWS_PKH_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} + +export VAULT_GCP_PROJECTID=${{ secrets.INTEGRATIONTEST_VAULT_GCP_PROJECTID }} +export VAULT_GCP_PRIVATEKEYID=${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEYID }} +export VAULT_GCP_PRIVATEKEY=${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEY }} +export VAULT_GCP_CLIENTEMAIL=${{ secrets.INTEGRATIONTEST_VAULT_GCP_CLIENTEMAIL }} +export VAULT_GCP_CLIENTID=${{ secrets.INTEGRATIONTEST_VAULT_GCP_CLIENTID }} +export VAULT_GCP_X509_URL=${{ secrets.INTEGRATIONTEST_VAULT_GCP_X509_URL }} +export VAULT_GCP_KEYRING=${{ secrets.INTEGRATIONTEST_VAULT_GCP_KEYRING }} +export VAULT_GCP_LOCATION=${{ secrets.INTEGRATIONTEST_VAULT_GCP_LOCATION }} +export VAULT_GCP_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} diff --git a/integration_test/README.md b/integration_test/README.md index 8fea2401..4d07239e 100644 --- a/integration_test/README.md +++ b/integration_test/README.md @@ -76,6 +76,14 @@ Github secrets are used to define vault env var used in github workflows. To run . .env.vaults ``` +### optional: using GCP vault + +If you want to run GCP vault tests you need to substitute GCP vault env var into the GCP token file that gets mounted to Signatory file system: + +```sh +envsubst < gcp-token-template.json > gcp-token.json +``` + Next, start the stack: ```sh diff --git a/integration_test/docker-compose.yml b/integration_test/docker-compose.yml index 4e67367a..36592ee6 100644 --- a/integration_test/docker-compose.yml +++ b/integration_test/docker-compose.yml 
@@ -77,6 +77,10 @@ services: target: /etc/signatory.yaml - source: sigy-secret target: /etc/secret.json + - source: gcp-token + target: /etc/gcp-token.json + environment: + - GOOGLE_APPLICATION_CREDENTIALS=/etc/gcp-token.json command: serve healthcheck: test: "curl --fail http://localhost:9583/healthz || exit 1" @@ -90,3 +94,5 @@ configs: file: ./signatory.yaml sigy-secret: file: ./signatory-local-secret.json + gcp-token: + file: ./gcp-token.json From fbeaf772980639895504651432f44dda09f1b352 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Fri, 26 May 2023 16:59:36 -0700 Subject: [PATCH 09/35] sg-integration-addgcp missed files --- integration_test/gcp-token-template.json | 12 ++++++ integration_test/vault_gcp_test.go | 48 ++++++++++++++++++++++++ 2 files changed, 60 insertions(+) create mode 100644 integration_test/gcp-token-template.json create mode 100644 integration_test/vault_gcp_test.go diff --git a/integration_test/gcp-token-template.json b/integration_test/gcp-token-template.json new file mode 100644 index 00000000..25f0d40b --- /dev/null +++ b/integration_test/gcp-token-template.json @@ -0,0 +1,12 @@ +{ + "type": "service_account", + "project_id": "$VAULT_GCP_PROJECTID", + "private_key_id": "$VAULT_GCP_PRIVATEKEYID", + "private_key": "$VAULT_GCP_PRIVATEKEY", + "client_email": "$VAULT_GCP_CLIENTEMAIL", + "client_id": "$VAULT_GCP_CLIENTID", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "$VAULT_GCP_X509_URL" + } \ No newline at end of file diff --git a/integration_test/vault_gcp_test.go b/integration_test/vault_gcp_test.go new file mode 100644 index 00000000..f27debbd --- /dev/null +++ b/integration_test/vault_gcp_test.go 
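Review bot: Declaring `gcp-token` as a top-level `configs:` entry with `file: ./gcp-token.json` makes that file a hard requirement for the whole stack, since Compose refuses to start when a config's source file is missing, while the README added in this same patch calls the GCP vault optional. Anyone who does not run `envsubst` first therefore cannot bring up `signatory` at all, and the obvious workaround (creating an empty `gcp-token.json` by hand) is one step away from a real key ending up in the working tree. Gating the mount behind a Compose profile (`profiles: [gcp]` in an override file), or stating in the README that the file must exist even for non-GCP runs, keeps the default path working. A comment on the `GOOGLE_APPLICATION_CREDENTIALS` line noting that the mounted file holds a service-account private key when populated would help operators handle it accordingly.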
@@ -0,0 +1,48 @@ +package integrationtest + +import ( + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestGCPVault(t *testing.T) { + + project := os.Getenv("VAULT_GCP_PROJECTID") + location := os.Getenv("VAULT_GCP_LOCATION") + keyring := os.Getenv("VAULT_GCP_KEYRING") + tz3 := os.Getenv("VAULT_GCP_TZ3") + tz3alias := "gcptz3" + + //config + var c Config + c.Read() + var v VaultConfig + v.Driver = "cloudkms" + v.Conf = map[string]*string{"project": &project, "location": &location, "key_ring": &keyring} + c.Vaults["gcp"] = &v + var p TezosPolicy + p.LogPayloads = true + p.Allow = map[string][]string{"generic": {"reveal", "transaction"}} + c.Tezos[tz3] = &p + backup_then_update_config(c) + defer restore_config() + restart_signatory() + + //setup + out, err := OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz3) + defer OctezClient("forget", "address", tz3alias, "--force") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + + //test + out, err = OctezClient("transfer", "1", "from", tz3alias, "to", "alice", "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") +} From 6c3388413d97507963751fc2bf533bd576bc9b00 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Fri, 26 May 2023 17:21:41 -0700 Subject: [PATCH 10/35] sg-integrationtest-addgcp fix workflow, forgot semicolon --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ae73dcb2..7f528617 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
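Review bot: `"http://signatory:6732/"+tz3` is the third copy of the signer base URL in this test package (TestAWSVault in patch 07 and flextesanobaking.sh in patch 01 spell it out too), and `"Operation successfully injected in the node"` is repeated in every test file as well; a shared `const signatoryURL = "http://signatory:6732/"` beside `flextesanob` in operationkinds_test.go, and a named constant for the injection message, would reduce a port or wording change to one edit. A doc comment on the test, e.g. `// TestGCPVault drives a cloudkms-backed tz3 key through reveal and transaction; needs the VAULT_GCP_* variables and a populated gcp-token.json`, would make its preconditions visible without reading the body. `p.LogPayloads = true` is also not needed by any assertion here and could carry a comment saying it is on for debugging only.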
@@ -140,7 +140,7 @@ jobs: run: > . integration_test/.env.${{ matrix.testenvs }}; - envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json + envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; go test $(go list ./... | grep integration_test); From c6fc7b7587be74dd6099ff069520e2dff2efda7e Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Mon, 29 May 2023 08:40:33 -0700 Subject: [PATCH 11/35] sg-integrationtest add to gitignore integration_test stuffs --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index 3f14d2e9..f51e085c 100644 --- a/.gitignore +++ b/.gitignore @@ -23,3 +23,7 @@ dist .docker-creds signatory signatory-cli + +# some integration_tests write secret env var to files +integration_test/gcp-token.json +integration_test/.env.vaults.cicd From d8e510c256c0194bc872d5f564f434ef68f4b360 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Mon, 29 May 2023 17:17:02 -0700 Subject: [PATCH 12/35] sg-intgrationtest add AZ vault --- .github/workflows/build.yaml | 10 ++++++++++ .gitignore | 1 + integration_test/.env.vaults | 10 ++++++++++ integration_test/README.md | 11 +++++++---- integration_test/docker-compose.yml | 4 ++++ 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 7f528617..5ec78a3c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -128,6 +128,15 @@ jobs: VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} VAULT_AWS_PKH_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} VAULT_AWS_PKH_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} + VAULT_AZ_CLIENTCERTTHUMB: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTCERTTHUMB }} + VAULT_AZ_CLIENTID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTID }} + VAULT_AZ_RESGROUP: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_RESGROUP }} + VAULT_AZ_SP_KEY: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_SP_KEY }} + VAULT_AZ_SUBID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_SUBID }} + VAULT_AZ_TENANTID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TENANTID }} + VAULT_AZ_VAULT: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_VAULT }} + VAULT_AZ_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ2 }} + VAULT_AZ_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ3 }} VAULT_GCP_PROJECTID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PROJECTID }} VAULT_GCP_PRIVATEKEYID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEYID }} VAULT_GCP_PRIVATEKEY: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEY }} @@ -141,6 +150,7 @@ jobs: run: > . integration_test/.env.${{ matrix.testenvs }}; envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; + echo $VAULT_AZ_SP_KEY >service-principal.key; docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; go test $(go list ./... | grep integration_test); diff --git a/.gitignore b/.gitignore index f51e085c..95654ed3 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ signatory-cli # some integration_tests write secret env var to files integration_test/gcp-token.json integration_test/.env.vaults.cicd +integration_test/service-principal.key \ No newline at end of file diff --git a/integration_test/.env.vaults b/integration_test/.env.vaults index 684750ea..850d6fa0 100644 --- a/integration_test/.env.vaults +++ b/integration_test/.env.vaults 
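Review bot: `echo $VAULT_AZ_SP_KEY >service-principal.key;` expands the secret unquoted, so a multi-line PEM is word-split and rejoined with single spaces (and `*`/`?` are glob-expanded), producing a key file that will not parse; write it quoted, `printf '%s\n' "$VAULT_AZ_SP_KEY" > service-principal.key;`. The redirect also creates the private key with the runner's default umask, so precede it with `umask 077;` (or `chmod 600` afterwards) to keep it from being world-readable on the runner, and keep the path consistent with the `integration_test/service-principal.key` entry the same commit adds to `.gitignore`.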
@@ -5,6 +5,16 @@ export VAULT_AWS_REGION=${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} export VAULT_AWS_PKH_TZ2=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} export VAULT_AWS_PKH_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} +export VAULT_AZ_CLIENTCERTTHUMB=${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTCERTTHUMB }} +export VAULT_AZ_CLIENTID=${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTID }} +export VAULT_AZ_RESGROUP=${{ secrets.INTEGRATIONTEST_VAULT_AZ_RESGROUP }} +export VAULT_AZ_SP_KEY=${{ secrets.INTEGRATIONTEST_VAULT_AZ_SP_KEY }} +export VAULT_AZ_SUBID=${{ secrets.INTEGRATIONTEST_VAULT_AZ_SUBID }} +export VAULT_AZ_TENANTID=${{ secrets.INTEGRATIONTEST_VAULT_AZ_TENANTID }} +export VAULT_AZ_VAULT=${{ secrets.INTEGRATIONTEST_VAULT_AZ_VAULT }} +export VAULT_AZ_TZ2=${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ2 }} +export VAULT_AZ_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ3 }} + export VAULT_GCP_PROJECTID=${{ secrets.INTEGRATIONTEST_VAULT_GCP_PROJECTID }} export VAULT_GCP_PRIVATEKEYID=${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEYID }} export VAULT_GCP_PRIVATEKEY=${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEY }} diff --git a/integration_test/README.md b/integration_test/README.md index 4d07239e..5c45ffc8 100644 --- a/integration_test/README.md +++ b/integration_test/README.md 
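Review bot: `${{ secrets.INTEGRATIONTEST_VAULT_AZ_* }}` is a GitHub Actions expression, and a shell `. .env.vaults` does not expand it (`${{` is a bad substitution in sh), so unless something outside this diff renders the file, it only works once a developer replaces every value with a real credential — in a tracked file, which is an easy way to commit live vault secrets; `.gitignore` only covers `.env.vaults.cicd`. Consider committing this as `.env.vaults.template` with placeholder values and ignoring `.env.vaults`, or at minimum add a header `# template: fill in locally, never commit real credentials`.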
@@ -4,7 +4,7 @@ The tests in this folder use a docker compose file to orchestrate the starting o The version of Signatory that is run is defined by an environment variable named `IMAGE`. -The `octez-client` that is run by the tests is provided by the `tezos` container, not the `octez-client` that is onboard the `flextesa` image, so that official `tezos` image releases can be used. The version of `tezos` container is defined by an environment variable named `OCTEZ_VERSION`. +The `octez-client` that is run by the tests is provided by the `tezos` container. The version of `tezos` container is defined by an environment variable named `OCTEZ_VERSION`. Currently, it is always the `latest` version of the `flextesa` image that is run by the tests. The economic protocol run by flextesa is defined by an environment variable named `PROTOCOL` @@ -76,14 +76,17 @@ Github secrets are used to define vault env var used in github workflows. To run . .env.vaults ``` -### optional: using GCP vault - -If you want to run GCP vault tests you need to substitute GCP vault env var into the GCP token file that gets mounted to Signatory file system: +### using GCP vault ```sh envsubst < gcp-token-template.json > gcp-token.json ``` +### using AZ vault + +```sh +echo $VAULT_AZ_SP_KEY >service-principal.key + Next, start the stack: ```sh diff --git a/integration_test/docker-compose.yml b/integration_test/docker-compose.yml index 36592ee6..9b89e8c5 100644 --- a/integration_test/docker-compose.yml +++ b/integration_test/docker-compose.yml @@ -79,6 +79,8 @@ services: target: /etc/secret.json - source: gcp-token target: /etc/gcp-token.json + - source: az-sp-key + target: /etc/service-principal.key environment: - GOOGLE_APPLICATION_CREDENTIALS=/etc/gcp-token.json command: serve @@ -96,3 +98,5 @@ configs: file: ./signatory-local-secret.json gcp-token: file: ./gcp-token.json + az-sp-key: + file: ./service-principal.key From 5431f78f23674c1e5a46afa1022b7c317a21406e Mon Sep 17 00:00:00 2001 
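Review bot: `az-sp-key: file: ./service-principal.key` turns the Azure service-principal key into a required compose `config`, so `docker compose up` now fails for any run that has not generated it (the same already holds for `gcp-token.json`), including matrix entries that never exercise the Azure vault; document the `echo … >service-principal.key` step as mandatory or make the mount conditional. For a private key, prefer the long syntax with an explicit `mode: 0400` on the `/etc/service-principal.key` target rather than the default mode, and keep that target in sync with the `spkey` path hard-coded in `TestAZVault`.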
From: stephengaudet Date: Mon, 29 May 2023 17:18:48 -0700 Subject: [PATCH 13/35] sg-integrationtest add AZ vault test --- integration_test/vault_az_test.go | 70 +++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 integration_test/vault_az_test.go diff --git a/integration_test/vault_az_test.go b/integration_test/vault_az_test.go new file mode 100644 index 00000000..d377c9d9 --- /dev/null +++ b/integration_test/vault_az_test.go 
@@ -0,0 +1,70 @@ +package integrationtest + +import ( + "os" + "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" +) + +func TestAZVault(t *testing.T) { + + spkey := "/etc/service-principal.key" + + thumb := os.Getenv("VAULT_AZ_CLIENTCERTTHUMB") + clientid := os.Getenv("VAULT_AZ_CLIENTID") + resgroup := os.Getenv("VAULT_AZ_RESGROUP") + subid := os.Getenv("VAULT_AZ_SUBID") + tenantid := os.Getenv("VAULT_AZ_TENANTID") + vault := os.Getenv("VAULT_AZ_VAULT") + + tz2 := os.Getenv("VAULT_AZ_TZ2") + tz3 := os.Getenv("VAULT_AZ_TZ3") + + tz2alias := "aztz2" + tz3alias := "aztz3" + + //config + var c Config + c.Read() + var v VaultConfig + v.Driver = "azure" + v.Conf = map[string]*string{"vault": &vault, "tenant_id": &tenantid, "client_id": &clientid, "client_private_key": &spkey, "client_certificate_thumbprint": &thumb, "subscription_id": &subid, "resource_group": &resgroup} + c.Vaults["azure"] = &v + var p TezosPolicy + p.LogPayloads = true + p.Allow = map[string][]string{"generic": {"reveal", "transaction"}} + c.Tezos[tz2] = &p + c.Tezos[tz3] = &p + backup_then_update_config(c) + defer restore_config() + restart_signatory() + + //setup + out, err := OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz2) + defer OctezClient("forget", "address", tz2alias, "--force") + out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz3) + defer OctezClient("forget", "address", tz3alias, "--force") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz2alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425") + 
assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + + //test + /* the tz2 key produces invalid signature 50% of the time from octez-client perspective + out, err = OctezClient("transfer", "1", "from", tz2alias, "to", "alice", "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + */ + out, err = OctezClient("transfer", "1", "from", tz3alias, "to", "alice", "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") +} From e374f93c56ef9b82f35d1d0aba3eb973dbff756b Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Mon, 29 May 2023 17:24:02 -0700 Subject: [PATCH 14/35] sg-integrationtest add AZ missed merge conflict resolution --- .github/workflows/build.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 48816777..5ec78a3c 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -128,7 +128,6 @@ jobs: VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} VAULT_AWS_PKH_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} VAULT_AWS_PKH_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} -<<<<<<< HEAD VAULT_AZ_CLIENTCERTTHUMB: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTCERTTHUMB }} VAULT_AZ_CLIENTID: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_CLIENTID }} VAULT_AZ_RESGROUP: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_RESGROUP }} @@ -138,8 +137,6 @@ jobs: VAULT_AZ_VAULT: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_VAULT }} VAULT_AZ_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ2 }} VAULT_AZ_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AZ_TZ3 }} -======= ->>>>>>> main VAULT_GCP_PROJECTID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PROJECTID }} VAULT_GCP_PRIVATEKEYID: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEYID }} VAULT_GCP_PRIVATEKEY: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_PRIVATEKEY }} 
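Review bot: The commented-out tz2 transfer at the end of TestAZVault hides what looks like a signing defect rather than a flaky test: a secp256k1 signature that octez-client rejects about half the time is the classic symptom of the S component not being normalised to its low-S form, which Tezos requires for canonical signatures and which a KMS such as Azure Key Vault does not do for you — that would place the fix in the azure vault driver, not in this test, though the cause should be confirmed against the backend. Keep the case visible instead of a block comment, e.g. `t.Run("tz2", func(t *testing.T) { t.Skip("tz2 via Azure: ~50% rejected, see issue") })`, and track it in an issue so the comment does not become permanent.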
@@ -153,10 +150,7 @@ jobs: run: > . integration_test/.env.${{ matrix.testenvs }}; envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; -<<<<<<< HEAD echo $VAULT_AZ_SP_KEY >service-principal.key; -======= ->>>>>>> main docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; go test $(go list ./... | grep integration_test); From 567cda3fdc89fd1f310a65f51a09483fedb8a0c3 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Mon, 29 May 2023 17:41:57 -0700 Subject: [PATCH 15/35] sg-integrationtest add AZ, fix path in workflow --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5ec78a3c..0a9c58d0 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -150,7 +150,7 @@ jobs: run: > . integration_test/.env.${{ matrix.testenvs }}; envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; - echo $VAULT_AZ_SP_KEY >service-principal.key; + echo $VAULT_AZ_SP_KEY >integration_test/service-principal.key; docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; go test $(go list ./... | grep integration_test); From 407db235b7bf1d0d951b76497938c3e12aec21c3 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Mon, 29 May 2023 22:29:32 -0700 Subject: [PATCH 16/35] sg-integrationtest add debug for troubleshoot workflow --- integration_test/service.go | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/integration_test/service.go b/integration_test/service.go index ea0e6b6d..5d1fad87 100644 --- a/integration_test/service.go +++ b/integration_test/service.go @@ -1,6 +1,7 @@ package integrationtest import ( + "fmt" "os/exec" ) 
@@ -9,8 +10,9 @@ func restart_signatory() { if err != nil { panic("failed to stop signatory") } - _, err = exec.Command("docker", "compose", "-f", "./docker-compose.yml", "up", "-d", "--wait", "signatory").CombinedOutput() + out, err := exec.Command("docker", "compose", "-f", "./docker-compose.yml", "up", "-d", "--wait", "signatory").CombinedOutput() if err != nil { + fmt.Println("restart signatory: failed to start: " + string(out)) panic("failed to start signatory during restart") } } From 72e13573ba9bd2a4ba9f52a16d5677bab0994be1 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 13:56:07 -0700 Subject: [PATCH 17/35] debugging AZ vault --- .github/workflows/build.yaml | 15 +++++++------- integration_test/vault_az_test.go | 34 ------------------------------- 2 files changed, 8 insertions(+), 41 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 0a9c58d0..ef60afe8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
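Review bot: On the start-failure path the diagnostic and the abort are split — `fmt.Println` writes the compose output to stdout and the `panic` carries a fixed string — so the output is easy to lose in `go test` capture; fold them into one message, `panic("restart signatory: failed to start: " + string(out))`, and drop the `fmt` import. The stop branch above (its `exec.Command` line is outside the hunk) still panics without capturing output. More generally a panic in this shared helper aborts the whole integration package; taking a `*testing.T` and calling `t.Fatalf` would confine the failure to the calling test.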
@@ -148,10 +148,11 @@ jobs: VAULT_GCP_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} run: > - . integration_test/.env.${{ matrix.testenvs }}; - envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; - echo $VAULT_AZ_SP_KEY >integration_test/service-principal.key; - docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; - docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; - go test $(go list ./... | grep integration_test); - docker compose -f integration_test/docker-compose.yml kill; + cd integration_test + . .env.${{ matrix.testenvs }}; + envsubst < gcp-token-template.json > gcp-token.json; + echo $VAULT_AZ_SP_KEY >service-principal.key; + go test -run ^TestAZVault; + docker pull $IMAGE + docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; + \ No newline at end of file diff --git a/integration_test/vault_az_test.go b/integration_test/vault_az_test.go index d377c9d9..c2818487 100644 --- a/integration_test/vault_az_test.go +++ b/integration_test/vault_az_test.go @@ -3,9 +3,6 @@ package integrationtest import ( "os" "testing" - - "github.com/stretchr/testify/assert" - "github.com/stretchr/testify/require" ) func TestAZVault(t *testing.T) { @@ -22,9 +19,6 @@ func TestAZVault(t *testing.T) { tz2 := os.Getenv("VAULT_AZ_TZ2") tz3 := os.Getenv("VAULT_AZ_TZ3") - tz2alias := "aztz2" - tz3alias := "aztz3" - //config var c Config c.Read() 
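Review bot: `docker run --name signatory --rm … $IMAGE serve;` runs signatory in the foreground, so this step never returns and the job only ends at the default 360-minute limit, holding a runner whose environment contains live vault secrets and whose tree holds both key files for hours; add `-d`, or better a `timeout-minutes:` on the job, while this debugging is in the tree. Under the folded `run: >` scalar, `cd integration_test` and `docker pull $IMAGE` lack the trailing `;` the other lines carry, so each is joined with the following command onto one shell line.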
@@ -38,33 +32,5 @@ func TestAZVault(t *testing.T) { c.Tezos[tz2] = &p c.Tezos[tz3] = &p backup_then_update_config(c) - defer restore_config() - restart_signatory() - - //setup - out, err := OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) - assert.NoError(t, err) - assert.Contains(t, string(out), "Tezos address added: "+tz2) - defer OctezClient("forget", "address", tz2alias, "--force") - out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) - assert.NoError(t, err) - assert.Contains(t, string(out), "Tezos address added: "+tz3) - defer OctezClient("forget", "address", tz3alias, "--force") - - out, err = OctezClient("transfer", "100", "from", "alice", "to", tz2alias, "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - //test - /* the tz2 key produces invalid signature 50% of the time from octez-client perspective - out, err = OctezClient("transfer", "1", "from", tz2alias, "to", "alice", "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - */ - out, err = OctezClient("transfer", "1", "from", tz3alias, "to", "alice", "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") } From bda2cedcc0044c930ffb65ebec1d7a5843389ed8 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:00:38 -0700 Subject: [PATCH 18/35] debug integration test --- .github/workflows/build.yaml | 82 ------------------------------------ 1 file changed, 82 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ef60afe8..edb61f4f 100644 
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -18,88 +18,6 @@ env: CC_BINARY_URL: https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 jobs: - test: - name: Test - runs-on: ubuntu-latest - steps: - - uses: actions/setup-go@v3 - with: - go-version: '1.20.3' - - uses: actions/checkout@v3 - - name: Setup Code Climate test-reporter - run: | - curl -L "$CC_BINARY_URL" > ./cc-test-reporter - chmod +x ./cc-test-reporter - - name: Run tests - run: | - export GIT_COMMIT_SHA='${{ github.sha }}' - export GIT_BRANCH="$(echo '${{ github.ref }}' | sed -E -e 's/.*\/(.*)/\1/')" - export CC_TEST_REPORTER_ID='${{ secrets.CC_TEST_REPORTER_ID }}' - - ./cc-test-reporter before-build - - echo "Running tests..." - go test $(go list ./... | grep -v integration_test) -coverprofile c.out ./... - - mod="$(cat go.mod | awk '/^module/ {print $2}')" - - if [[ ! -z "$CC_TEST_REPORTER_ID" ]]; then - echo "Generating coverage report..." - ./cc-test-reporter after-build -p "${mod}/" -t gocov - fi - - publish: - name: Goreleaser - runs-on: ubuntu-latest - needs: test - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - name: Login to DockerHub - uses: docker/login-action@v2 - if: "!startsWith(github.ref, 'refs/tags/v')" - with: - registry: ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Write release-env file - uses: DamianReeves/write-file-action@v1.0 - if: startsWith(github.ref, 'refs/tags/v') - with: - path: ${{ github.workspace }}/.release-env - contents: | - DOCKER_FAIL_ON_LOGIN_ERROR=true - GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} - DOCKER_USERNAME=${{ secrets.DOCKER_USERNAME }} - DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }} - - - name: goreleaser release preview - run: make release-preview - if: "!startsWith(github.ref, 'refs/tags/v')" - - - name: Tag Docker images appropriately - run: > - docker tag ghcr.io/ecadlabs/signatory:${{ 
github.sha }}-amd64 ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64; - docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-arm64 ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-arm64; - docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-armv7 ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-armv7; - if: "!startsWith(github.ref, 'refs/tags/v')" - - - name: Push Signatory preview images to GH Container Registry - run: > - docker push ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64; - docker push ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-arm64; - docker push ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-armv7; - if: "!startsWith(github.ref, 'refs/tags/v')" - - - name: goreleaser release - run: make release - if: startsWith(github.ref, 'refs/tags/v') - integration-tests: if: "!startsWith(github.ref, 'refs/tags/v')" needs: publish From 976b088fdc8b9c01d13deccba23502a00778ab71 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:01:24 -0700 Subject: [PATCH 19/35] debug integration test --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index edb61f4f..ee9ff881 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -20,7 +20,6 @@ env: jobs: integration-tests: if: "!startsWith(github.ref, 'refs/tags/v')" - needs: publish runs-on: ubuntu-latest strategy: fail-fast: false From 81396f16f3efc2916e5763a9ba14aaaaac06101a Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:03:08 -0700 Subject: [PATCH 20/35] debug integration test --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index ee9ff881..f19f5cf0 100644 --- a/.github/workflows/build.yaml 
+++ b/.github/workflows/build.yaml @@ -65,7 +65,7 @@ jobs: VAULT_GCP_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} run: > - cd integration_test + cd integration_test; . .env.${{ matrix.testenvs }}; envsubst < gcp-token-template.json > gcp-token.json; echo $VAULT_AZ_SP_KEY >service-principal.key; From e76adac91af2af719c405707312ab89b501ce094 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:04:28 -0700 Subject: [PATCH 21/35] debug integration test --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index f19f5cf0..c0baf352 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -71,5 +71,5 @@ jobs: echo $VAULT_AZ_SP_KEY >service-principal.key; go test -run ^TestAZVault; docker pull $IMAGE - docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; + docker run --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; \ No newline at end of file From 60e483a10503668ca906b72e23f2a0381a6ca0bc Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:05:44 -0700 Subject: [PATCH 22/35] debug integration test --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index c0baf352..32c16ad3 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -71,5 +71,5 @@ jobs: echo $VAULT_AZ_SP_KEY >service-principal.key; go test -run ^TestAZVault; docker pull $IMAGE - docker run --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; + docker run -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; \ No newline at end of file From 716c26273cf31248b3b8e9c58495c6830a7b5224 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:07:23 -0700 Subject: [PATCH 23/35] debug integration test --- .github/workflows/build.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 32c16ad3..98e2bcb4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -70,6 +70,6 @@ jobs: envsubst < gcp-token-template.json > gcp-token.json; echo $VAULT_AZ_SP_KEY >service-principal.key; go test -run ^TestAZVault; - docker pull $IMAGE - docker run -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; + docker pull $IMAGE; + docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; \ No newline at end of file From aac23a6d5d71e94b0fc23d8a426b1d6c09a3e28f Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:12:40 -0700 Subject: [PATCH 24/35] debug integration test --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 98e2bcb4..3cf57775 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -69,6 +69,7 @@ jobs: . .env.${{ matrix.testenvs }}; envsubst < gcp-token-template.json > gcp-token.json; echo $VAULT_AZ_SP_KEY >service-principal.key; + wc -c service-principal.key; go test -run ^TestAZVault; docker pull $IMAGE; docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; From 322cb8460274cc85b634fc6f101dda588acd1bbb Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:28:58 -0700 Subject: [PATCH 25/35] debug integration test --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 3cf57775..cf45cde8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -69,6 +69,7 @@ jobs: . .env.${{ matrix.testenvs }}; envsubst < gcp-token-template.json > gcp-token.json; echo $VAULT_AZ_SP_KEY >service-principal.key; + chmod 777 service-principal.key; wc -c service-principal.key; go test -run ^TestAZVault; docker pull $IMAGE; From d142dab87370df4bcef28c530e73d4f5c027dbb1 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:38:29 -0700 Subject: [PATCH 26/35] debug integration test --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cf45cde8..fdb882d1 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
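Review bot: `chmod 777 service-principal.key;` makes a private key world-writable, which a read-only mount never needs; the redirect on the line above already creates the file as 0644 under the default umask, so if the container cannot use it the cause is more likely the file's content than its mode. Use `chmod 644` (or `600` with a matching `--user` on the container) and remove the line once debugging is done.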
@@ -73,5 +73,6 @@ jobs: wc -c service-principal.key; go test -run ^TestAZVault; docker pull $IMAGE; + docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key $IMAGE wc -c /etc/service-principal.key; docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; \ No newline at end of file From 079bbe894fa0320b89f32123b3d015d660f63bb7 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 14:45:21 -0700 Subject: [PATCH 27/35] debug integration test --- .github/workflows/build.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index fdb882d1..cf45cde8 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -73,6 +73,5 @@ jobs: wc -c service-principal.key; go test -run ^TestAZVault; docker pull $IMAGE; - docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key $IMAGE wc -c /etc/service-principal.key; docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; \ No newline at end of file From 2984618ccd773de38062aba003282c1579d94ba5 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 15:01:15 -0700 Subject: [PATCH 28/35] debug integration test --- .github/workflows/build.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cf45cde8..72137967 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -72,6 +72,7 @@ jobs: chmod 777 service-principal.key; wc -c service-principal.key; go test -run ^TestAZVault; + wc -c signatory.yaml; docker pull $IMAGE; docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; \ No newline at end of file From 559455d1733c2fbd8502f6388f958b7581e4bcf6 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 15:31:54 -0700 Subject: [PATCH 29/35] debug integration test add ssh --- .github/workflows/build.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 72137967..275e0cd5 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -74,5 +74,7 @@ jobs: go test -run ^TestAZVault; wc -c signatory.yaml; docker pull $IMAGE; - docker run --name signatory --rm -v `echo $PWD`/service-principal.key:/etc/service-principal.key -v `echo $PWD`/signatory.yaml:/etc/signatory.yaml -v `echo $PWD`/signatory-local-secret.json:/etc/secret.json -p 6732:6732 -p 9583:9583 $IMAGE serve; - \ No newline at end of file + - name: Setup tmate session + uses: mxschmitt/action-tmate@v3 + with: + limit-access-to-actor: true \ No newline at end of file From 0f1b7c2a31c6f83fb517a2f2edd563df5cde7ada Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 15:36:29 -0700 Subject: [PATCH 30/35] debug integration test add ssh --- .github/workflows/build.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 275e0cd5..cf883561 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
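Review bot: The tmate step opens an interactive shell on a runner whose environment holds every `VAULT_*` secret and whose tree holds the rendered GCP key and the service-principal key; `limit-access-to-actor: true` is the right setting, but without `timeout-minutes:` a forgotten session keeps those credentials reachable until the six-hour job limit. Add `timeout-minutes: 15` to the step, and since this job runs for every non-tag ref, make sure the step never reaches the default branch; if the workflow also triggers on pull requests (the trigger is outside this diff), weigh who can open one.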
@@ -63,7 +63,6 @@ jobs: VAULT_GCP_KEYRING: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_KEYRING }} VAULT_GCP_LOCATION: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_LOCATION }} VAULT_GCP_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} - run: > cd integration_test; . .env.${{ matrix.testenvs }}; @@ -74,7 +73,8 @@ jobs: go test -run ^TestAZVault; wc -c signatory.yaml; docker pull $IMAGE; + - name: Setup tmate session - uses: mxschmitt/action-tmate@v3 - with: - limit-access-to-actor: true \ No newline at end of file + uses: mxschmitt/action-tmate@v3 + with: + limit-access-to-actor: true From fa92106c91cee22f36521d0f8de4659fe9cdfadf Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 17:06:08 -0700 Subject: [PATCH 31/35] debug integration test --- .github/workflows/build.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index cf883561..eb1a7220 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -67,8 +67,7 @@ jobs: cd integration_test; . .env.${{ matrix.testenvs }}; envsubst < gcp-token-template.json > gcp-token.json; - echo $VAULT_AZ_SP_KEY >service-principal.key; - chmod 777 service-principal.key; + echo $VAULT_AZ_SP_KEY |base64 -d >service-principal.key; wc -c service-principal.key; go test -run ^TestAZVault; wc -c signatory.yaml; From c8761f1177bbb5c7e66095646cd7214bffa1fb86 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 17:16:00 -0700 Subject: [PATCH 32/35] debug AZ vault - use base64 encoded secret --- .github/workflows/build.yaml | 19 +++++++---------- integration_test/vault_az_test.go | 34 +++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+), 12 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index eb1a7220..b0cc7317 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -63,17 +63,12 @@ jobs: VAULT_GCP_KEYRING: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_KEYRING }} VAULT_GCP_LOCATION: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_LOCATION }} VAULT_GCP_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_GCP_TZ3 }} + run: > - cd integration_test; - . .env.${{ matrix.testenvs }}; - envsubst < gcp-token-template.json > gcp-token.json; + . integration_test/.env.${{ matrix.testenvs }}; + envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; echo $VAULT_AZ_SP_KEY |base64 -d >service-principal.key; - wc -c service-principal.key; - go test -run ^TestAZVault; - wc -c signatory.yaml; - docker pull $IMAGE; - - - name: Setup tmate session - uses: mxschmitt/action-tmate@v3 - with: - limit-access-to-actor: true + docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; + docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; + go test $(go list ./... | grep integration_test); + docker compose -f integration_test/docker-compose.yml kill; diff --git a/integration_test/vault_az_test.go b/integration_test/vault_az_test.go index c2818487..d377c9d9 100644 --- a/integration_test/vault_az_test.go +++ b/integration_test/vault_az_test.go @@ -3,6 +3,9 @@ package integrationtest import ( "os" "testing" + + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" ) func TestAZVault(t *testing.T) { @@ -19,6 +22,9 @@ func TestAZVault(t *testing.T) { tz2 := os.Getenv("VAULT_AZ_TZ2") tz3 := os.Getenv("VAULT_AZ_TZ3") + tz2alias := "aztz2" + tz3alias := "aztz3" + //config var c Config c.Read() 
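Review bot: In the build.yaml hunk, `docker compose -f integration_test/docker-compose.yml kill;` is the last statement of the same `run:` script as `go test`, so when a test fails the step presumably stops (GitHub's default shell for `run` is bash with `-e`) and the stack that holds the vault credentials keeps running; on hosted runners that only wastes the VM, on self-hosted runners it leaves credentialed containers behind. Move the teardown to its own step that runs unconditionally: `- name: Tear down integration stack` / `if: always()` / `run: docker compose -f integration_test/docker-compose.yml kill`. The `run:` block's first lines are outside the hunk, so the step name it belongs to is not visible here.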
@@ -32,5 +38,33 @@ func TestAZVault(t *testing.T) { c.Tezos[tz2] = &p c.Tezos[tz3] = &p backup_then_update_config(c) + defer restore_config() + restart_signatory() + + //setup + out, err := OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz2) + defer OctezClient("forget", "address", tz2alias, "--force") + out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz3) + defer OctezClient("forget", "address", tz3alias, "--force") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz2alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + //test + /* the tz2 key produces invalid signature 50% of the time from octez-client perspective + out, err = OctezClient("transfer", "1", "from", tz2alias, "to", "alice", "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + */ + out, err = OctezClient("transfer", "1", "from", tz3alias, "to", "alice", "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") } From e41e0ff691698f394abb94351e1bf9046e286d19 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 17:18:34 -0700 Subject: [PATCH 33/35] debug AZ vault - fix path in workflow --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index b0cc7317..96f045a0 100644 
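Review bot: The setup block uses `assert.NoError`/`assert.Contains` for the two `import secret key` calls, so a failed import does not stop the test; it continues into the `transfer` calls and the `require` assertions there then fail with a misleading message, while the deferred `forget address` still runs against an alias that was never created. Setup steps should use `require.NoError(t, err)` and `require.Contains(t, string(out), "Tezos address added: "+tz2)` (likewise for tz3) so the failure is reported where it happens. The deferred `OctezClient("forget", ...)` calls also discard their error return; a small wrapper that logs the cleanup output with `t.Logf` would keep the README's clean-up rule verifiable. The commented-out tz2 case documents a real defect ("invalid signature 50% of the time") rather than a test problem — a 50% rate is consistent with secp256k1 signatures that are not normalized to low-S before being returned, which is worth confirming against the vault backend instead of leaving the tz2 path untested. The function's opening lines are outside this hunk.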
--- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -67,7 +67,7 @@ jobs: run: > . integration_test/.env.${{ matrix.testenvs }}; envsubst < integration_test/gcp-token-template.json > integration_test/gcp-token.json; - echo $VAULT_AZ_SP_KEY |base64 -d >service-principal.key; + echo $VAULT_AZ_SP_KEY |base64 -d >integration_test/service-principal.key; docker compose -f integration_test/docker-compose.yml up -d --wait --pull always; docker exec octez sudo chown -R tezos /home/tezos/.tezos-client; go test $(go list ./... | grep integration_test); From 161fb05c24f20dcfe4b5c244725732af871632dd Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Tue, 30 May 2023 17:29:46 -0700 Subject: [PATCH 34/35] restore build file after debugging. add to info to README --- .github/workflows/build.yaml | 83 ++++++++++++++++++++++++++++++++++++ integration_test/README.md | 2 + 2 files changed, 85 insertions(+) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 96f045a0..d8495129 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml 
@@ -18,8 +18,91 @@ env: CC_BINARY_URL: https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 jobs: + test: + name: Test + runs-on: ubuntu-latest + steps: + - uses: actions/setup-go@v3 + with: + go-version: '1.20.3' + - uses: actions/checkout@v3 + - name: Setup Code Climate test-reporter + run: | + curl -L "$CC_BINARY_URL" > ./cc-test-reporter + chmod +x ./cc-test-reporter + - name: Run tests + run: | + export GIT_COMMIT_SHA='${{ github.sha }}' + export GIT_BRANCH="$(echo '${{ github.ref }}' | sed -E -e 's/.*\/(.*)/\1/')" + export CC_TEST_REPORTER_ID='${{ secrets.CC_TEST_REPORTER_ID }}' + + ./cc-test-reporter before-build + + echo "Running tests..." + go test $(go list ./... | grep -v integration_test) -coverprofile c.out ./... + + mod="$(cat go.mod | awk '/^module/ {print $2}')" + + if [[ ! -z "$CC_TEST_REPORTER_ID" ]]; then + echo "Generating coverage report..." + ./cc-test-reporter after-build -p "${mod}/" -t gocov + fi + + publish: + name: Goreleaser + runs-on: ubuntu-latest + needs: test + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + - name: Login to DockerHub + uses: docker/login-action@v2 + if: "!startsWith(github.ref, 'refs/tags/v')" + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Write release-env file + uses: DamianReeves/write-file-action@v1.0 + if: startsWith(github.ref, 'refs/tags/v') + with: + path: ${{ github.workspace }}/.release-env + contents: | + DOCKER_FAIL_ON_LOGIN_ERROR=true + GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} + DOCKER_USERNAME=${{ secrets.DOCKER_USERNAME }} + DOCKER_PASSWORD=${{ secrets.DOCKER_PASSWORD }} + + - name: goreleaser release preview + run: make release-preview + if: "!startsWith(github.ref, 'refs/tags/v')" + + - name: Tag Docker images appropriately + run: > + docker tag ghcr.io/ecadlabs/signatory:${{ 
github.sha }}-amd64 ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64; + docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-arm64 ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-arm64; + docker tag ghcr.io/ecadlabs/signatory:${{ github.sha }}-armv7 ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-armv7; + if: "!startsWith(github.ref, 'refs/tags/v')" + + - name: Push Signatory preview images to GH Container Registry + run: > + docker push ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64; + docker push ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-arm64; + docker push ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-armv7; + if: "!startsWith(github.ref, 'refs/tags/v')" + + - name: goreleaser release + run: make release + if: startsWith(github.ref, 'refs/tags/v') + integration-tests: if: "!startsWith(github.ref, 'refs/tags/v')" + needs: publish runs-on: ubuntu-latest strategy: fail-fast: false diff --git a/integration_test/README.md b/integration_test/README.md index cda38476..8cc4e79b 100644 --- a/integration_test/README.md +++ b/integration_test/README.md 
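Review bot: The new `test` and `publish` jobs reference every third-party action by a mutable tag (`actions/checkout@v3`, `docker/login-action@v2`, `DamianReeves/write-file-action@v1.0`, and the others), so the code that handles `GITHUB_TOKEN`, `DOCKER_USERNAME` and `DOCKER_PASSWORD` can change underneath the workflow without a commit here; pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v3`. The "Write release-env file" step also leaves those secrets in plaintext at `${{ github.workspace }}/.release-env` for the rest of the job; presumably `make release` (outside this hunk) consumes it, so an `if: always()` step that removes the file afterwards would limit how long it sits on the runner. No `permissions:` block is visible for these jobs; if the workflow does not set one at the top level, `permissions: { contents: read, packages: write }` on `publish` would keep the token scoped to what the registry push needs.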
@@ -127,3 +127,5 @@ Most tests can be re-run successfully as detailed above. Some tests (like the ` ## Notes to the operator Some tests in this folder make edits to `signatory.yaml` configuration and restart the Signatory service. By design, tests that do this shall clean up after themselves by restoring the copy of the file that is in the code repository. If `git status` after a test run shows you have modifications to the `signatory.yaml` file, then that would mean a test is failing to clean up after itself and should be corrected. Function `backup_then_update_config()` and `defer restore_config()` should be used by tests that edit config. Likewise, `git status` may show you new files in the `.tezos-client` folder, another indication of a test not cleaning up after itself. Function `clean_tezos_folder()` should be used by tests that leave state behind in `.tezos-client`. + +The PEM file that is used for AZ authentication is stored in env var `VAULT_AZ_SP_KEY` which in github actions is supplied via secret `${{ secrets.INTEGRATIONTEST_VAULT_AZ_SP_KEY }}`. Because github secrets do not support multiline values, the PEM file content was base64 encoded before entered as the value of the secret. From 4aafa6928351dec90029660041e0805ff5386c4b Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Wed, 31 May 2023 13:21:36 -0700 Subject: [PATCH 35/35] sg-integrationtest-addaz use base64 encoded key on workstation, too. --- integration_test/README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/integration_test/README.md b/integration_test/README.md index 8cc4e79b..6f1e2f0f 100644 --- a/integration_test/README.md +++ b/integration_test/README.md @@ -87,7 +87,7 @@ envsubst < gcp-token-template.json > gcp-token.json ### using AZ vault ```sh -echo $VAULT_AZ_SP_KEY >service-principal.key +echo $VAULT_AZ_SP_KEY |base64 -d >service-principal.key ``` Next, start the stack: 
@@ -128,4 +128,10 @@ Most tests can be re-run successfully as detailed above. Some tests (like the ` Some tests in this folder make edits to `signatory.yaml` configuration and restart the Signatory service. By design, tests that do this shall clean up after themselves by restoring the copy of the file that is in the code repository. If `git status` after a test run shows you have modifications to the `signatory.yaml` file, then that would mean a test is failing to clean up after itself and should be corrected. Function `backup_then_update_config()` and `defer restore_config()` should be used by tests that edit config. Likewise, `git status` may show you new files in the `.tezos-client` folder, another indication of a test not cleaning up after itself. Function `clean_tezos_folder()` should be used by tests that leave state behind in `.tezos-client`. -The PEM file that is used for AZ authentication is stored in env var `VAULT_AZ_SP_KEY` which in github actions is supplied via secret `${{ secrets.INTEGRATIONTEST_VAULT_AZ_SP_KEY }}`. Because github secrets do not support multiline values, the PEM file content was base64 encoded before entered as the value of the secret. +The PEM file that is used for AZ authentication is stored in env var `VAULT_AZ_SP_KEY` which in github actions is supplied via secret `${{ secrets.INTEGRATIONTEST_VAULT_AZ_SP_KEY }}`. Because github secrets do not support multiline values, the PEM file content was base64 encoded before entered as the value of the secret. With the private key in a file named `service-principal.key` the base64 value is generated by: + +```sh +cat service-principal.key|base64 -e >service-principal.base64 +``` + +The string value in file `service-principal.base64` is then used in env var `VAULT_AZ_SP_KEY`.